> ## Documentation Index
> Fetch the complete documentation index at: https://specterops-bed-7559-api-key-exp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# SyncedToADUser

> The Entra user is synchronized to the on-prem AD user.

<img noZoom src="https://mintcdn.com/specterops-bed-7559-api-key-exp/Q9Jppg_Pu54SydxZ/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=Q9Jppg_Pu54SydxZ&q=85&s=dab889e863a05e09b1378befc30bbb10" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

The Entra user may be able to authenticate as the on-prem AD user with its own password if password write-back is enabled. The Entra user may already have the same password as the on-prem user if password hash synchronization is enabled.

## Abuse Info

An attacker may authenticate as the on-prem AD user using the Entra user’s credentials, for example by key-logging the user’s password, or by changing the Entra user’s password and waiting for the password write-back operation to complete.

## Opsec Considerations

The attacker may create artifacts of abusing this relationship in both on-prem AD and in Entra. A password write-back operation against the on-prem user may create a 4724 Windows event, along with a corresponding Entra activity log entry indicating the Entra user’s password was changed.

## Edge Schema

Source: [AZUser](/resources/nodes/az-user)\
Destination: [User](/resources/nodes/user)\
Traversable: **Yes**

## References

* [Concept SSPR WriteBack](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback)
* [Hybrid Attack Paths: New Views and Your Favorite Dog Learns an Old Trick](https://specterops.io/blog/2024/08/02/hybrid-attack-paths-new-views-and-your-favorite-dog-learns-an-old-trick/)
